Active Directory
Douglas E. Engert
deengert at anl.gov
Mon Dec 9 17:20:38 EST 2013
On 12/6/2013 11:24 PM, Scott Arciszewski wrote:
> Quick question,
>
> I'm developing some applications that use LDAP to authenticate users (it's
> a corporate environment). However, I do not have admin access to the server
> that hosts LDAP and thus cannot examine the hashes, so I've been doing some
> reading and talking with other devs about this... but I've reached a dead
> end.
>
> Here's what I know: AD used to use LM hashes, they migrated to Kerberos a
> while back. I cannot for the life of me find out if they still store hashes
> on the server, because Microsoft's documentation is equal parts
> labyrinthine and sparse.
>
> Questions:
> Does Kerberos mitigate the need to store hashes in a database, registry, or
> filesystem?
Yes.
> If not, how does Kerberos stack up to a password-hashing scheme like PBKDF2
> or scrypt? (A quick glance at the Github page reveals that DES is still
> allowed, but deprecated.)
> How well do the Kerberos maintainers believe Microsoft implemented the
> protocol for Active Directory?
Very well. Microsoft developers have been IETF Kerberos working group chairs
and active in the working group over the years.
http://msdn.microsoft.com/en-us/library/cc233855.aspx
[MS-KILE], last updated 11/14/2013, is a document that
shows how Microsoft's implementation of Kerberos complies with the RFCs,
and what extensions they have added.
>
> Thanks for your time, if you don't have time to write out an answer but
> know of links to refer to me to, I'd greatly appreciate the help!
Other things to search for:
SSPI GSS-API - shows how Microsoft SSP implements GSS-API protocols.
includes PuTTY for ssh from Windows.
"windows integrated authentication" Kerberos
Browser use of Kerberos, including FireFox and Chrome
mod_auth_kerb - Apache use of Kerberos with the above.
java Krb5LoginModule - using Kerberos from Java,
AD can be the KDC.
pam_krb5 - Kerberos login which can use AD as the KDC.
msktutil - manage keytabs on Unix with AD as the KDC.
And my all time favorite...
http://technet.microsoft.com/en-us/library/bb742433.aspx
It's for Windows 2000, but explains a lot of the basics.
>
> Scott
--
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
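The part of Scott's question the reply leaves open, how Kerberos compares to PBKDF2 or scrypt, has a concrete answer for the AES enctypes that AD has used since Windows Server 2008: RFC 3962 string-to-key is PBKDF2-HMAC-SHA1 (4096 iterations when the KDC sends no s2kparams, salt = realm + principal name) followed by the RFC 3961 DK step, and that derived key is the long-term secret the KDC keeps per principal. The program below is an added example written for this thread, not code from the thread or from MIT krb5; it implements string-to-key with the Go standard library only and checks itself against the RFC 3962 Appendix B vector ("password", salt "ATHENA.MIT.EDUraeburn", 1 iteration). The realm "corp.example" and account "jdoe" are constructed, the AD user-salt rule (upper-cased realm followed by the sAMAccountName) is taken from MS-KILE, and the 4096 default comes from RFC 3962.

```go
package main

import (
	"crypto/aes"
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"strings"
)

// DefaultIterations is the PBKDF2 iteration count RFC 3962 specifies when the
// KDC sends no explicit s2kparams (AD relies on this default).
const DefaultIterations = 4096

// pbkdf2SHA1 is PBKDF2 with HMAC-SHA1 (RFC 2898) on the standard library only;
// RFC 3962 fixes SHA-1 as the PRF for the AES enctypes.
func pbkdf2SHA1(password, salt []byte, iter, keyLen int) []byte {
	out := make([]byte, 0, keyLen)
	for block := 1; len(out) < keyLen; block++ {
		mac := hmac.New(sha1.New, password)
		mac.Write(salt)
		var idx [4]byte
		binary.BigEndian.PutUint32(idx[:], uint32(block))
		mac.Write(idx[:])
		u := mac.Sum(nil)
		t := append([]byte(nil), u...)
		for i := 1; i < iter; i++ {
			mac = hmac.New(sha1.New, password)
			mac.Write(u)
			u = mac.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// nfold is the RFC 3961 n-fold function: repeat the input, rotating each copy
// right by 13 bits, and sum the copies with ones'-complement addition into outLen bytes.
func nfold(in []byte, outLen int) []byte {
	inLen := len(in)
	a, b := outLen, inLen
	for b != 0 {
		a, b = b, a%b // gcd
	}
	lcm := outLen * inLen / a
	out := make([]byte, outLen)
	carry := 0
	for i := lcm - 1; i >= 0; i-- {
		// most significant bit of the input that lands in this output byte
		msbit := (((inLen << 3) - 1) +
			(((inLen << 3) + 13) * (i / inLen)) +
			((inLen - (i % inLen)) << 3)) % (inLen << 3)
		hi := int(in[((inLen-1)-(msbit>>3))%inLen])
		lo := int(in[(inLen-(msbit>>3))%inLen])
		carry += ((hi<<8 | lo) >> ((msbit & 7) + 1)) & 0xff
		carry += int(out[i%outLen])
		out[i%outLen] = byte(carry & 0xff)
		carry >>= 8
	}
	for i := outLen - 1; carry != 0 && i >= 0; i-- { // fold the end-around carry back in
		carry += int(out[i])
		out[i] = byte(carry & 0xff)
		carry >>= 8
	}
	return out
}

// deriveKey is RFC 3961 DK(tkey, "kerberos") for AES: encrypt n-fold("kerberos")
// with a zero IV (one block, so plain AES), then keep encrypting the previous
// output until keyLen bytes exist; random-to-key is the identity for AES.
func deriveKey(tkey []byte, keyLen int) []byte {
	block, err := aes.NewCipher(tkey)
	if err != nil {
		panic(err)
	}
	prev := nfold([]byte("kerberos"), block.BlockSize())
	out := make([]byte, 0, keyLen)
	for len(out) < keyLen {
		next := make([]byte, block.BlockSize())
		block.Encrypt(next, prev)
		out = append(out, next...)
		prev = next
	}
	return out[:keyLen]
}

// StringToKey is RFC 3962 string-to-key: keyLen 16 for aes128-cts-hmac-sha1-96,
// 32 for aes256-cts-hmac-sha1-96.
func StringToKey(passphrase, salt string, iter, keyLen int) []byte {
	return deriveKey(pbkdf2SHA1([]byte(passphrase), []byte(salt), iter, keyLen), keyLen)
}

// ADUserSalt is the default salt AD uses for a user principal per MS-KILE:
// the realm upper-cased, followed by the sAMAccountName as stored.
func ADUserSalt(realm, samAccountName string) string {
	return strings.ToUpper(realm) + samAccountName
}

func main() {
	// RFC 3962 Appendix B vector: 1 iteration, "password", salt "ATHENA.MIT.EDUraeburn".
	fmt.Println(hex.EncodeToString(StringToKey("password", "ATHENA.MIT.EDUraeburn", 1, 16)))
	// Constructed account (not a real realm or user): the 32-byte aes256 key the KDC
	// would store is the output of a salted, iterated PBKDF2, not a plain password hash.
	salt := ADUserSalt("corp.example", "jdoe")
	fmt.Println(salt, hex.EncodeToString(StringToKey("Correct Horse", salt, DefaultIterations, 32)))
}
```

Two things worth noticing when you run it: the salt ties the key to one realm and one account name, so the same passphrase yields different keys in different domains (and a renamed account needs a new key), and the iteration count is the only work factor, which is why the comparison with scrypt or a high-iteration PBKDF2 comes down to that 4096 default.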